SIDN – the registry for the .nl domain – announced today that the .nl domain has been signed successfully. We are of course very happy with this because this means that at some point in the near future we can submit a DS for our domains under the friends and fans programme that SIDN has […]

One of the factors that delayed the adoption of DNSSEC has been the privacy of the information stored in it. This is a topic of debate, as DNS has always been designed as a public database, but the Internet of today cannot be reigned from purely technical motivations. The problem is with securely denying a […]

For a paper I’m writing on state-of-the-art cryptography and applications of cryptography I’ve drawn a picture of the complete trust chain required to validate the answer to a query for www.surfdnssec.org (which is in one of our test domains and is a CNAME pointing to this blog). It really drives home how complex DNSSEC can […]

In our architecture, we consider three levels of users: End users who understand DNS at a conceptual level Operators who understand DNS at an operational level Security officers who are mindful about the cryptographic intricacies of DNSSEC After initial setup has been done, a security officer only needs to oversee the secure operation of the […]

We prefer to run our infrastructure on open platforms. For our DNS infrastructure we have chosen to run it on top of Red Hat Enterprise Linux version 5.x. Since we have deployed DNSSEC, we have run into a number of problems, and to save you the trouble of having to run into and solve these […]

In our architecture, we opt for Hardware Security Modules (or HSMs) as secure key stores. This helps us with high-availability of key material, and thus of our signed domains, but it also poses us with some limitations. An HSM generally has a limited number of keys that it can store. Had we opted for a […]